An update for python-aiohttp is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2194 Final 1.0 1.0 2026-05-03 Initial 2026-05-03 2026-05-03 openEuler SA Tool V1.0 2026-05-03 python-aiohttp security update An update for python-aiohttp is now available for openEuler-24.03-LTS Async http client/server framework (asyncio). Security Fix(es): Insufficient restrictions in header/trailer handling could cause uncapped memory usage.(CVE-2026-22815) An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.(CVE-2026-34513) An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.(CVE-2026-34514) A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.(CVE-2026-34516) For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.(CVE-2026-34517) When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.(CVE-2026-34518) aiohttp is vulnerable to HTTP response splitting attacks. An attacker can insert carriage return (\r) characters in the reason phrase to craft malicious responses, leading to response splitting attacks. This vulnerability affects aiohttp versions up to and including 3.13.3.(CVE-2026-34519) The llhttp parser in aiohttp accepts null bytes and control characters in response header values, which could allow attackers to perform HTTP header injection attacks and bypass security restrictions.(CVE-2026-34520) aiohttp is a Python asynchronous HTTP client/server framework. In version 3.13.3 and earlier, there is a security vulnerability that allows accepting duplicate Host headers, which may lead to HTTP request smuggling attacks. Attackers could exploit this vulnerability to bypass security controls or perform man-in-the-middle attacks.(CVE-2026-34525) An update for python-aiohttp is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python-aiohttp https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-22815 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34513 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34514 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34516 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34517 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34518 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34519 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34520 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34525 https://nvd.nist.gov/vuln/detail/CVE-2026-22815 https://nvd.nist.gov/vuln/detail/CVE-2026-34513 https://nvd.nist.gov/vuln/detail/CVE-2026-34514 https://nvd.nist.gov/vuln/detail/CVE-2026-34516 https://nvd.nist.gov/vuln/detail/CVE-2026-34517 https://nvd.nist.gov/vuln/detail/CVE-2026-34518 https://nvd.nist.gov/vuln/detail/CVE-2026-34519 https://nvd.nist.gov/vuln/detail/CVE-2026-34520 https://nvd.nist.gov/vuln/detail/CVE-2026-34525 openEuler-24.03-LTS python-aiohttp-3.13.5-1.oe2403.src.rpm python-aiohttp-debuginfo-3.13.5-1.oe2403.aarch64.rpm python-aiohttp-debugsource-3.13.5-1.oe2403.aarch64.rpm python-aiohttp-help-3.13.5-1.oe2403.aarch64.rpm python3-aiohttp-3.13.5-1.oe2403.aarch64.rpm python-aiohttp-debuginfo-3.13.5-1.oe2403.x86_64.rpm python-aiohttp-debugsource-3.13.5-1.oe2403.x86_64.rpm python-aiohttp-help-3.13.5-1.oe2403.x86_64.rpm python3-aiohttp-3.13.5-1.oe2403.x86_64.rpm Insufficient restrictions in header/trailer handling could cause uncapped memory usage. 2026-05-03 CVE-2026-22815 openEuler-24.03-LTS Medium 6.9 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. 2026-05-03 CVE-2026-34513 openEuler-24.03-LTS Low 2.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. 2026-05-03 CVE-2026-34514 openEuler-24.03-LTS Low 2.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. 2026-05-03 CVE-2026-34516 openEuler-24.03-LTS Medium 6.6 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. 2026-05-03 CVE-2026-34517 openEuler-24.03-LTS Low 2.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. 2026-05-03 CVE-2026-34518 openEuler-24.03-LTS Low 2.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 aiohttp is vulnerable to HTTP response splitting attacks. An attacker can insert carriage return (\r) characters in the reason phrase to craft malicious responses, leading to response splitting attacks. This vulnerability affects aiohttp versions up to and including 3.13.3. 2026-05-03 CVE-2026-34519 openEuler-24.03-LTS Low 2.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 The llhttp parser in aiohttp accepts null bytes and control characters in response header values, which could allow attackers to perform HTTP header injection attacks and bypass security restrictions. 2026-05-03 CVE-2026-34520 openEuler-24.03-LTS Low 2.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194 aiohttp is a Python asynchronous HTTP client/server framework. In version 3.13.3 and earlier, there is a security vulnerability that allows accepting duplicate Host headers, which may lead to HTTP request smuggling attacks. Attackers could exploit this vulnerability to bypass security controls or perform man-in-the-middle attacks. 2026-05-03 CVE-2026-34525 openEuler-24.03-LTS Medium 6.3 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python-aiohttp security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194